Skip to content

Add MRAC (Memory Region Access Control) emulation#3656

Open
iyernaveenr wants to merge 1 commit intochipsalliance:mainfrom
iyernaveenr:naveen_r_iyer/mrac_emulation
Open

Add MRAC (Memory Region Access Control) emulation#3656
iyernaveenr wants to merge 1 commit intochipsalliance:mainfrom
iyernaveenr:naveen_r_iyer/mrac_emulation

Conversation

@iyernaveenr
Copy link
Copy Markdown
Contributor

@iyernaveenr iyernaveenr commented Apr 24, 2026
edited
Loading

Add MRAC (Memory Region Access Control) emulation

Implements MRAC CSR (0x7C0) support in the VeeR EL2 emulator, as described in the VeeR EL2 spec.

What this does

The 32-bit address space is split into 16 fixed 256MB regions, each with 2 control bits in the MRAC CSR:

  • Cacheable (bit Y*2): idempotent region. Reads are widened to 64-bit aligned double-word (two 32-bit reads on the delegate bus).
  • Side-effect (bit Y*2+1): non-idempotent region. Only word-aligned word-sized accesses are allowed. Misaligned or sub-word accesses return LoadAddrMisaligned/StoreAddrMisaligned.
  • Both bits set (11): illegal, silently mapped to side-effect only (10) on CSR write.

Implementation

  1. MracBus<TBus: Bus> wrapper in sw-emulator/lib/bus/src/mrac_bus.rs that intercepts reads/writes and enforces the region access rules before delegating to the inner bus.

  2. MRAC CSR (0x7C0) added to CsrFile with a shared Rc<Cell<u32>> that syncs CSR writes to the bus wrapper.

  3. --mrac CLI flag on the emulator binary. When enabled, MRAC enforcement is active. When disabled (default), all accesses pass through unchanged.

Why this matters

Without MRAC enforcement, the emulator does not detect access pattern bugs that would fail on real hardware. For example, reading a mailbox register at offset 4 in a non-side-effect region triggers a widened 64-bit read that also reads the adjacent lock register at offset 0 -- silently acquiring the lock. The side-effect flag prevents this by restricting reads to the exact requested address.

hw-model integration

The hw-model (model_emulated.rs) is also wrapped in MracBus, but with enforcement disabled by default. This allows the infrastructure to be in place for future enabling. When enabled (MracBus::new(..., true)), 4 out of 30 hw-model tests fail due to mailbox access patterns that do not set the MRAC side-effect flag -- confirming that MRAC enforcement catches real access bugs. Enabling by default requires firmware/test updates to configure MRAC CSR correctly.

Tests

9 unit tests covering:

  • Side-effect region: byte/halfword/misaligned rejected, word-aligned accepted
  • Cacheable region: reads widened to 64-bit double-word
  • Disabled passthrough, no-flags passthrough
  • Mailbox lock: cacheable region causes spurious lock acquisition
  • Mailbox lock: side-effect region prevents spurious lock acquisition

Files changed

  • sw-emulator/lib/bus/src/mrac_bus.rs - new MracBus wrapper + 9 unit tests
  • sw-emulator/lib/bus/src/lib.rs - added mrac_bus module + export
  • sw-emulator/lib/cpu/src/csr_file.rs - added MRAC CSR (0x7C0)
  • sw-emulator/lib/cpu/src/cpu.rs - added mrac param to Cpu::new
  • sw-emulator/app/src/main.rs - --mrac CLI flag, MracBus wrapping
  • sw-emulator/app/src/gdb/gdb_target.rs - updated Cpu type
  • sw-emulator/compliance-test/src/main.rs - updated Cpu::new calls
  • sw-emulator/lib/cpu/src/instr/test_macros.rs - updated Cpu::new calls
  • hw-model/src/model_emulated.rs - wrapped in MracBus (disabled by default), updated all bus access paths

Closes #3601

@iyernaveenr iyernaveenr force-pushed the naveen_r_iyer/mrac_emulation branch 2 times, most recently from 1729a0c to dae5a65 Compare April 24, 2026 01:32
@iyernaveenr
Add MRAC (Memory Region Access Control) emulation
42edadc 
Add optional emulation of the VeeR EL2 MRAC CSR (0x7C0) as a Bus
wrapper that enforces per-region access rules:

- Side-effect regions: reject non-word-aligned or non-word-sized access
- Cacheable regions: widen reads to 64-bit aligned double-word fetches
- Illegal combination (cacheable+sideeffect) mapped to sideeffect-only
- Off by default (MracBus wraps inner bus, disabled flag bypasses checks)

Add MRAC CSR to CsrFile with shared Rc<Cell<u32>> for synchronization
between the CSR write path and the MracBus enforcement layer.

Closes: chipsalliance#3601

Signed-off-by: Naveen R. Iyer <iyernaveenr@gmail.com>
@iyernaveenr iyernaveenr force-pushed the naveen_r_iyer/mrac_emulation branch from dae5a65 to 42edadc Compare April 24, 2026 13:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@korran korran Awaiting requested review from korran korran is a code owner

@fdamato fdamato Awaiting requested review from fdamato fdamato is a code owner

@jlmahowa-amd jlmahowa-amd Awaiting requested review from jlmahowa-amd jlmahowa-amd is a code owner

@mhatrevi mhatrevi Awaiting requested review from mhatrevi mhatrevi is a code owner

@jhand2 jhand2 Awaiting requested review from jhand2 jhand2 is a code owner

@swenson swenson Awaiting requested review from swenson swenson is a code owner

@vsonims vsonims Awaiting requested review from vsonims vsonims is a code owner

@zhalvorsen zhalvorsen Awaiting requested review from zhalvorsen zhalvorsen is a code owner

@timothytrippel timothytrippel Awaiting requested review from timothytrippel timothytrippel is a code owner

@ajisaxena ajisaxena Awaiting requested review from ajisaxena ajisaxena is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MRAC emulation in CPU

1 participant

@iyernaveenr